Trust
Security & compliance.
Where we are today, and where we’re going. Honest about the gaps, because we’re early.
Authentication
Supabase Auth with email + password, with UAE Pass OIDC coming soon. Session tokens are held in HttpOnly cookies with SameSite=Lax, and the Secure flag is set in production.
Multi-tenant isolation
Every tenant-scoped table has Postgres Row-Level Security enabled. Policies filter on a per-request app.organization_id GUC, so every query is scoped to the caller's tenant at the database rather than in application code.
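As an added illustration of the GUC-scoped RLS pattern described above (example SQL, not taxfiler's own schema; the invoices table, its columns, the current_org helper and the tenant ids are assumed for this example), including the two checks a practitioner wants: the policy fails closed when no tenant is set, and the per-request value cannot leak across a pooled connection.

```sql
-- Added example (not taxfiler's schema): a tenant-scoped table guarded by the
-- per-request app.organization_id GUC. Table, column and helper names are
-- assumed for illustration.
CREATE TABLE invoices (
  id              bigserial     PRIMARY KEY,
  organization_id uuid          NOT NULL,
  amount_aed      numeric(12,2) NOT NULL
);

ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
-- ENABLE alone still lets the table owner bypass the policy; FORCE closes that.
-- Superusers and roles with BYPASSRLS always bypass RLS, so the application
-- must connect as neither.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) returns NULL instead of raising when the GUC was
-- never set. Once a SET LOCAL has ended, the GUC reads as '' rather than NULL,
-- and ''::uuid raises, so NULLIF maps both cases to NULL. A NULL tenant id makes
-- the predicate unknown, so an unscoped request sees no rows instead of every
-- tenant's rows (fail closed).
CREATE FUNCTION current_org() RETURNS uuid
  LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.organization_id', true), '')::uuid
$$;

-- USING filters SELECT/UPDATE/DELETE; WITH CHECK rejects INSERT/UPDATE rows that
-- would land in another tenant. Both clauses are needed.
CREATE POLICY tenant_isolation ON invoices
  FOR ALL
  USING      (organization_id = current_org())
  WITH CHECK (organization_id = current_org());

-- Tenant 1 request. SET LOCAL is undone at COMMIT or ROLLBACK, so a pooled
-- connection cannot carry this tenant's id into the next request (a plain SET
-- would persist for the whole session).
BEGIN;
SET LOCAL app.organization_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (organization_id, amount_aed)
  VALUES ('11111111-1111-1111-1111-111111111111', 1500.00);
COMMIT;

-- Tenant 2 request on the same pooled connection: sees only its own rows, and a
-- DELETE with no WHERE clause touches nothing outside its tenant.
BEGIN;
SET LOCAL app.organization_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM invoices;   -- 0
DELETE FROM invoices;            -- DELETE 0
-- Rejected by WITH CHECK: "new row violates row-level security policy".
INSERT INTO invoices (organization_id, amount_aed)
  VALUES ('11111111-1111-1111-1111-111111111111', 1.00);
ROLLBACK;

-- A code path that forgot SET LOCAL: zero rows, not all rows.
SELECT count(*) FROM invoices;   -- 0
```

The two things worth checking in a real deployment are the role the app connects as (owner, superuser or BYPASSRLS silently disables the policy) and that every request path sets the GUC with SET LOCAL inside its transaction; both can be tested with the queries at the end of the block.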
Encryption
TLS 1.3 in transit. AES-256 at rest on managed Postgres. Per-tenant field-level encryption planned for sensitive PII (Emirates ID, salary).
Audit trail
Append-only audit_logs table. Every change records the actor, source IP and before/after state, and each entry's hash covers the previous entry's hash, so an edited or deleted entry anywhere in the history breaks the chain and is detectable.
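As an added illustration of the hash-chained audit table described above (example SQL, not taxfiler's own schema; the column names, the audit_entry_bytes helper and the sample entries are assumed and constructed for this example). It uses only built-in Postgres functions (sha256, hashtext, pg_advisory_xact_lock) and shows the trigger that extends the chain, the privilege revoke that makes the table append-only, and the query that verifies the chain end to end.

```sql
-- Added example (not taxfiler's schema): an append-only audit table whose
-- entries are hash-chained by a trigger, plus the chain-verification query.
-- Column and helper names are assumed for illustration.
CREATE TABLE audit_logs (
  seq             bigint      PRIMARY KEY,  -- chain position, set by the trigger
  organization_id uuid        NOT NULL,
  actor_id        uuid        NOT NULL,
  actor_ip        inet,
  table_name      text        NOT NULL,
  row_id          text        NOT NULL,
  before_row      jsonb,
  after_row       jsonb,
  created_at      timestamptz NOT NULL DEFAULT now(),
  prev_hash       bytea,                    -- NULL only for the first entry
  entry_hash      bytea       NOT NULL
);

-- Append-only at the privilege level: the chain detects tampering, this is what
-- prevents it through the normal path. Grant the application role SELECT and
-- INSERT only; the owner keeps its rights, so the app must not connect as owner.
REVOKE UPDATE, DELETE, TRUNCATE ON audit_logs FROM PUBLIC;

-- Canonical bytes for one entry. jsonb normalises key order and whitespace, so
-- equal content always serialises identically; created_at is converted to UTC so
-- the bytes do not depend on the session TimeZone. prev_hash and entry_hash are
-- deliberately excluded (prev_hash is mixed in separately below).
CREATE FUNCTION audit_entry_bytes(e audit_logs) RETURNS bytea
  LANGUAGE sql STABLE AS $$
  SELECT convert_to(jsonb_build_object(
    'seq',        e.seq,
    'org',        e.organization_id,
    'actor',      e.actor_id,
    'ip',         e.actor_ip,
    'table',      e.table_name,
    'row',        e.row_id,
    'before',     e.before_row,
    'after',      e.after_row,
    'created_at', e.created_at AT TIME ZONE 'UTC'
  )::text, 'UTF8')
$$;

-- entry_hash = SHA-256(prev_hash || canonical bytes). The advisory lock (held
-- until transaction end) serialises concurrent inserts so two writers cannot
-- both read the same head and fork the chain. Relies on the default READ
-- COMMITTED level so the SELECT sees the previous writer's committed head.
CREATE FUNCTION audit_logs_chain() RETURNS trigger
  LANGUAGE plpgsql AS $$
DECLARE
  head audit_logs;
BEGIN
  PERFORM pg_advisory_xact_lock(hashtext('audit_logs_chain'));
  SELECT * INTO head FROM audit_logs ORDER BY seq DESC LIMIT 1;
  NEW.seq        := coalesce(head.seq, 0) + 1;
  NEW.prev_hash  := head.entry_hash;                    -- NULL for genesis entry
  NEW.entry_hash := sha256(coalesce(head.entry_hash, '\x'::bytea)
                           || audit_entry_bytes(NEW));
  RETURN NEW;
END
$$;

CREATE TRIGGER audit_logs_chain
  BEFORE INSERT ON audit_logs
  FOR EACH ROW EXECUTE FUNCTION audit_logs_chain();

-- Constructed sample entries: one create, one edit of the same invoice.
INSERT INTO audit_logs (organization_id, actor_id, actor_ip, table_name, row_id, before_row, after_row)
VALUES ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
        '10.0.0.5', 'invoices', '42', NULL, '{"amount_aed": 1500}');
INSERT INTO audit_logs (organization_id, actor_id, actor_ip, table_name, row_id, before_row, after_row)
VALUES ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa',
        '10.0.0.5', 'invoices', '42', '{"amount_aed": 1500}', '{"amount_aed": 1200}');

-- Verification: every entry must (a) point at the hash of the entry before it
-- and (b) still hash to its stored entry_hash. Any row returned is a break.
-- Run as a role that sees the whole table: under RLS a tenant-scoped session
-- would see gaps in the chain and report false breaks.
SELECT seq, link_ok, hash_ok
FROM (
  SELECT a.seq,
         a.prev_hash IS NOT DISTINCT FROM lag(a.entry_hash) OVER (ORDER BY a.seq)      AS link_ok,
         a.entry_hash = sha256(coalesce(a.prev_hash, '\x'::bytea) || audit_entry_bytes(a)) AS hash_ok
  FROM audit_logs a
) chk
WHERE NOT (link_ok AND hash_ok);
-- Returns no rows for an intact chain. If an owner or superuser runs
--   UPDATE audit_logs SET after_row = '{"amount_aed": 1500}' WHERE seq = 2;
-- seq 2 fails hash_ok; if they DELETE seq 1, seq 2 fails link_ok.
```

One caveat the chain alone does not cover: a party with UPDATE rights on the table could rewrite an entry and recompute every later hash. The chain is only tamper-evident against that party if the current head entry_hash is periodically copied somewhere the database writer cannot reach (a separate account, a signed log, a ticket) and the verification query is compared against that anchored value.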
Data residency
Currently Supabase EU. Migrating to AWS me-central-1 (Dubai) before our first DIFC/ADGM customer or AED 50K MRR, whichever comes first.
Compliance roadmap
SOC 2 Type 1 targeted month 9, Type 2 month 18. ISO 27001 prep starts when SOC 2 lands. UAE PDPL controls baked in from day one.
Found something? Email security@taxfiler.ae. We’ll respond within 24 hours.